After the high-profile incidents at Uber and Rockstar Games, the Lapsus$ Group seems (again) to have been disrupted by an arrest, but it's unlikely we've seen and heard the last of them. Digital Shadows offers some speculation about where the group may be headed next.
Next moves for Lapsus$?
Researchers at Digital Shadows have published a report looking at the possible next moves for the cybercrime group Lapsus$. The group tends to carry out a combination of hacktivist and financially motivated crimes, although their tactics are generally opportunistic:
“If reports are to be believed, then many of the culprits for the recent attacks may receive law enforcement attention. One 17-year-old in London has already been arrested on 22 Sep 22, which is likely related to the incidents involving Uber or Rockstar Games. It is realistically possible that this arrest may have a similar impact on the group’s activities to what we saw in March 22; Lapsus$ may go underground for a period in reaction to increased media and law enforcement scrutiny.
“In terms of who is likely to be targeted by the group in the future, it’s difficult to say. Lapsus$’ motivations exist within this spectrum of financially and ideologically motivated. It’s possible that the group’s targeting in the future will be highly influenced by this ideological or hacktivist incentive, going after companies that—in the eyes of the group—have committed a misdemeanor. It’s also possible that they might just select companies that have access to something the threat actors find interesting or useful, which was likely the case with Rockstar.”
There are also signs of an incipient but growing connection between the Lapsus$ Group and ransomware gangs, notably Yanluowang. "Within the attack against Cisco, Lapsus$ were also attributed with activity that is consistent with pre-ransomware deployment activity," Digital Shadows points out. "Cisco observed activity linking Lapsus$ with the “Yanluowang” ransomware group, including using Yanluowang’s data-leak site. While Lapsus$ have not been identified as specifically using ransomware in their operations at this time—and despite some in the security community claiming that they have—it is realistically possible that the group could pivot to deploy ransomware in their future operations, as a medium for extortion. This hasn’t happened yet, but it could represent a possible evolution for the group's activity."